Why Antivirus for Servers is Overrated

It may seem counterintuitive to advise against antivirus, but some servers don’t actually need it.  If the server doesn’t connect to the outside world and doesn’t have any interaction from non-admin users, what do you need antivirus for?  In fact, in many cases antivirus may actually hurt the performance and stability of your server.  Crazy, right?!

If you set up the server properly, patch it regularly, and maintain good security practices you usually don’t need antivirus.  Actually, antivirus can sometimes make you more vulnerable because hackers can exploit the vulnerabilities of the antivirus as well as the vulnerabilities of the operating system in order to access your server.  More vulnerabilities equal more opportunities for hackers. 

Now, I did say “most” servers don’t need antivirus, which means that there are some instances when you WILL need antivirus.  So which servers should have antivirus and which servers shouldn’t?  Here’s a simple breakdown: 

Types of Servers:

  • Exchange: Use Exchange-specific antivirus solution.
  • SharePoint: If you trust that the downloader and uploader workstations are secure, you don't really need AV at the SharePoint level.  If you aren't sure or you just want to be extra careful, we recommend (and so does Microsoft) that you use a SharePoint VS API-based solution.  
  • AD/DC: Antivirus not necessary unless users interact with the server (if there are multiple roles on same server).
  • DHCP/DNS: Antivirus not necessary unless users interact with the servers (if there are multiple roles on the same server).
  • File Server: Set antivirus to scan on write only. This server is only getting a virus is if a user accidentally uploads a file they shouldn’t.
  • OCS: Since office communication may contain links to outside content or actual file uploads, antivirus is recommended.
  • Utility Servers: These servers connect to file stores or other web stores so scanning on write is advised.
  • SQL/Database:  Don’t worry about antivirus unless non-admin users are interacting with the server (they shouldn’t be, btw).
  • Web Server: Web servers always need antivirus because users are going to be uploading files and/or linking to other sites.

Things to Remember

If you’re setting up a new server:  Make sure to wait until you’ve done all your configuration and have installed all the software or server roles before adding any antivirus so that it doesn’t block any registry or system file changes (and trust me, it will block stuff). 

If you’re adding software: First of all, make sure you’re adding software from a trusted source (says Captain Obvious).  If you’re adding software to a server that has antivirus already, make sure to disable all the AV features before adding the software or you'll encounter the same issue mentioned above.  Then, don’t forget to re-enable the AV features.  

If you need an AV Solution: Most importantly, you don’t want to use a generic one-size-fits-all antivirus solution on your servers.  If there’s antivirus made specifically for the software on your server, use that.  It may cost more, but trust us, it’s worth it because that generic stuff isn’t going to offer you much protection. For some of the servers above, it's actually better to have no antivirus at all than to have a generic solution.

You remember the story of the three little pigs?  The first two pigs were schmucks and used cheap materials to build their homes.  Using generic AV is like using sticks and straw to keep out the big bad wolf...it's not going to help you much.  If you’re going to put in the time, money, and effort to build a house (or to install antivirus), you might as well make it good.  

If you or your team need a little refresher in Information Security, check out the courses linked below:

Employee IT Security Awareness

Fundamentals of IT Security

Certified Information Systems Security Professional (CISSP)

EC-Council Certified Ethical Hacking and Countermeasures (CEHv9)

Published August 24, 2016